I decided to go with TACACS.net, a free (not as in beer, though) command-line-oriented service that runs on Windows. It’s a very nice program, and it’s really cool that it can be downloaded for free. They charge for support, so I guess that’s how they keep the lights on.

Install TACACS.net on a domain controller and configure the software using the XML config files per the docs on the TACACS.net website. The three main config files are:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Version 1.2 -->
<!-- This is the configuration file for TACACS+ clients. A TACACS+ client, as defined by the RFC, is the client that is
     making a request to the TACACS+ server, such as a router, switch, or firewall -->
<Clients xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ClientGroups>
    <ClientGroup Name="CoreRouters">
      <Secret ClearText="shh-dont-tell" DES=""> </Secret>
      <Clients>
        <Client>10.6.10.1</Client>
      </Clients>
    </ClientGroup>
    <ClientGroup Name="LOCALHOST"> <!-- This ClientGroup is just for testing -->
      <Secret ClearText="monkey" DES=""> </Secret>
      <Clients>
        <Client>10.6.15.49</Client>
      </Clients>
    </ClientGroup>
  </ClientGroups>
</Clients>

After getting everything working, you can use a handy-dandy CLI tool, TACDES, to create DES-encrypted versions of the shared secrets that you can store in the file instead of the clear-text ones.

Now we need to set up TACACS+ on the SRX with just a few configuration lines:

set system authentication-order [ password tacplus ]
set system tacplus-server 10.6.15.49 secret shh-dont-tell
set system tacplus-server source-address 10.6.10.1
set system login user network-admins class super-user
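The two halves above have to agree: the SRX's source address must be listed in a ClientGroup, and that group's secret must match the `secret` on the SRX. Here is an added consistency checker (my own example, not a TACACS.net or Juniper tool) that parses a clients.xml in the format above plus the Junos `set` commands and reports mismatches; the sample inputs are constructed and the DES value is a placeholder, not real TACDES output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample clients.xml in the format shown above (one group clear-text, one already TACDES-encoded).
CLIENTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Clients xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <ClientGroups>
    <ClientGroup Name="CoreRouters">
      <Secret ClearText="shh-dont-tell" DES=""> </Secret>
      <Clients><Client>10.6.10.1</Client></Clients>
    </ClientGroup>
    <ClientGroup Name="LOCALHOST">
      <Secret ClearText="" DES="PLACEHOLDER-TACDES-OUTPUT"> </Secret>
      <Clients><Client>10.6.15.49</Client></Clients>
    </ClientGroup>
  </ClientGroups>
</Clients>"""

# Constructed sample SRX config; note the one-letter typo in the shared secret.
SRX_CONFIG = """set system authentication-order [ password tacplus ]
set system tacplus-server 10.6.15.49 secret ssh-dont-tell
set system tacplus-server source-address 10.6.10.1
set system login user network-admins class super-user"""

def parse_client_groups(xml_text):
    """Map each ClientGroup name to (ClearText secret, DES secret, list of client IPs)."""
    groups = {}
    for g in ET.fromstring(xml_text).iter("ClientGroup"):
        secret = g.find("Secret")
        clients = [c.text.strip() for c in g.iter("Client") if c.text]
        groups[g.get("Name")] = (secret.get("ClearText", ""), secret.get("DES", ""), clients)
    return groups

def parse_srx(config_text):
    """Pull server, shared secret and source-address out of the Junos 'set' commands."""
    server = re.search(r"tacplus-server (\S+) secret (\S+)", config_text)
    source = re.search(r"tacplus-server source-address (\S+)", config_text)
    return {"server": server.group(1), "secret": server.group(2), "source": source.group(1)}

def check_consistency(xml_text, config_text):
    """Return findings; an empty list means the SRX and clients.xml agree."""
    groups, srx, findings = parse_client_groups(xml_text), parse_srx(config_text), []
    # TACACS.net picks the ClientGroup (and so the secret) by the SRX's source address.
    owner = next((n for n, (_, _, ips) in groups.items() if srx["source"] in ips), None)
    if owner is None:
        findings.append(f"SRX source-address {srx['source']} is not in any ClientGroup")
    elif groups[owner][0] and groups[owner][0] != srx["secret"]:
        findings.append(f"{owner}: secret {groups[owner][0]!r} != SRX secret {srx['secret']!r}")
    for name, (clear, des, _) in groups.items():
        if clear and not des:
            findings.append(f"{name}: clear-text secret in clients.xml; replace it with TACDES output")
    return findings
```

Run `check_consistency(CLIENTS_XML, SRX_CONFIG)` and you get the secret mismatch plus a reminder that CoreRouters still carries a clear-text secret; a secret mismatch otherwise only shows up as silent authentication failures on the SRX.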

And that’s pretty much it for a basic TACACS+ setup that lets you log in to your SRX with your AD credentials.